From: "Boyce, Kevin P. (Melbourne, FL)"
Subject: Audit-1.0.14
Date: Wed, 11 Oct 2006 07:49:00 -0400
Message-ID: <04485C8018722949A3DF79E193BB44DB07A50599@xcgfl107.northgrum.com>
To: linux-audit@redhat.com

I am trying to use a vanilla kernel from kernel.org version 2.6.12 and 2.6.16 with the audit daemon version 1.0.14. I am using Ubuntu, so I have used alien to convert the redhat binary packages for an x86_64 architecture into *.deb files. I can install the deb files and the audit daemon runs, but it has trouble parsing the audit.rules file. The error I am getting is "Error sending insert watch request (Invalid Argument)."

Please help. I have a requirement to use these two kernel versions, and unfortunately can't use redhat, fedora, or their kernel binaries. I have recompiled my kernel with auditing turned on. I can look in the audit.log file and see events being written there when I start and stop the daemon, so I know the daemon works. I just need to know how to parse the log file correctly. Also when you bypass the log file and just use auditctl -w <file to watch>, the same error is returned.

Thanks in advance.

Kevin Boyce
kevin.boyce@ngc.com


From: Steve Grubb
Subject: Re: Audit-1.0.14
Date: Wed, 11 Oct 2006 08:24:37 -0400
Message-ID: <200610110824.38005.sgrubb@redhat.com>
In-Reply-To: <04485C8018722949A3DF79E193BB44DB07A50599@xcgfl107.northgrum.com>
To: linux-audit@redhat.com
Cc: "Boyce, Kevin P. (Melbourne, FL)"

On Wednesday 11 October 2006 07:49, Boyce, Kevin P. (Melbourne, FL) wrote:
> I can install the deb files and the audit daemon runs, but it has trouble
> parsing the audit.rules file. The error I am getting is "Error sending
> insert watch request (Invalid Argument)."

This is not a parsing error...it's worse. The audit 1.0.x series was developed to complement the RHEL4 kernel. At the time, it was envisioned that the technique used for watches would be accepted upstream. It was rejected due to some overlap with inotify, so the watch system was re-written. The audit 1.2.x series has the code for the new system. Watches were not accepted upstream until the 2.6.18 kernel.

> I have a requirement to use these two kernel versions, and unfortunately
> can't use redhat, fedora, or their kernel binaries.

Then you are limited to inode based auditing. Or maybe if you put the things you have to watch onto one partition, you can use devmajor and minor. I'd try to move to a 2.6.18 kernel with the latest audit package.

-Steve


From: "Todd, Charles"
Subject: Re: Audit-1.0.14
Date: Thu, 9 Nov 2006 14:56:02 -0500
To: linux-audit@redhat.com

> On Wednesday 11 October 2006 07:49, Boyce, Kevin P. (Melbourne, FL) wrote:
> > I can install the deb files and the audit daemon runs, but it has trouble
> > parsing the audit.rules file. The error I am getting is "Error sending
> > insert watch request (Invalid Argument)."
>
> This is not a parsing error...it's worse. The audit 1.0.x series was developed
> to complement the RHEL4 kernel. At the time, it was envisioned that the
> technique used for watches would be accepted upstream. It was rejected due to
> some overlap with inotify, so the watch system was re-written. The audit
> 1.2.x series has the code for the new system. Watches were not accepted
> upstream until the 2.6.18 kernel.
>
> > I have a requirement to use these two kernel versions, and unfortunately
> > can't use redhat, fedora, or their kernel binaries.
>
> Then you are limited to inode based auditing. Or maybe if you put the things
> you have to watch onto one partition, you can use devmajor and minor. I'd try
> to move to a 2.6.18 kernel with the latest audit package.
>
> -Steve

Steve,

If I'm reading this correctly, you're telling me that the 1.0.14 auditd that ships with RHEL4u3 is immature, at best. Does this mean that I will never get support for the dispatcher directive in /etc/auditd.conf? I was hoping to use the development Snare scripts that Leigh put together, mainly for a unified, centralization of our audit trails, but it doesn't work if the dispatcher support option is missing.

I understand that file watching will not be an auditable event and that I'll have to filter out a lot of false positives. I just want to get centralized auditing working without having to script a bunch of it myself.

Thanks!

Charlie Todd
Ball Aerospace & Technologies Corp.
ctodd- at -ball -com


From: Steve Grubb
Subject: Re: Audit-1.0.14
Date: Mon, 13 Nov 2006 09:19:44 -0500
Message-ID: <200611130919.44418.sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: "Todd, Charles"

On Thursday 09 November 2006 14:56, Todd, Charles wrote:
> If I'm reading this correctly, you're telling me that the 1.0.14 auditd
> that ships with RHEL4u3 is immature, at best.

No, you are misparsing the problem...he is trying to use that version of audit with plain vanilla linux kernels. When paired with our kernel all is well.

> Does this mean that I will never get support for the dispatcher directive
> in /etc/auditd.conf?

I just about have 1.0.15 finished and it will have the dispatcher interface + some backported code around the time start/end directives and various bugfixes discovered during the LSPP work for RHEL5.

> I was hoping to use the development Snare scripts that Leigh put together,
> mainly for a unified, centralization of our audit trails, but it doesn't
> work if the dispatcher support option is missing.

U5 it should be there.

-Steve


From: "Todd, Charles"
Subject: RE: Audit-1.0.14
Date: Mon, 13 Nov 2006 23:17:57 -0500
In-Reply-To: <200611130919.44418.sgrubb@redhat.com>
To: Steve Grubb, linux-audit@redhat.com

Thanks Steve. I do actually have a ticket open with RedHat to make this available for pre-U5 versions, so you may have to pass off to the QC team. We've had enough fun getting the 2.6.9-42 kernel to not break out-of tree kernel modules for commercial packages. If I have to build audit 1.0.15 to be compatible with u3 I'll try to do that.

Thanks for your time and help,
Charlie Todd
Ball Aerospace & Technologies Corp.

-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Mon 11/13/2006 9:19 AM
To: linux-audit@redhat.com
Cc: Todd, Charles
Subject: Re: Audit-1.0.14

On Thursday 09 November 2006 14:56, Todd, Charles wrote:
> If I'm reading this correctly, you're telling me that the 1.0.14 auditd
> that ships with RHEL4u3 is immature, at best.

No, you are misparsing the problem...he is trying to use that version of audit
with plain vanilla linux kernels. When paired with our kernel all is well.

> Does this mean that I will never get support for the dispatcher directive
> in /etc/auditd.conf?

I just about have 1.0.15 finished and it will have the dispatcher interface +
some backported code around the time start/end directives and various
bugfixes discovered during the LSPP work for RHEL5.

> I was hoping to use the development Snare scripts that Leigh put together,
> mainly for a unified, centralization of our audit trails, but it doesn't
> work if the dispatcher support option is missing.

U5 it should be there.

-Steve

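Steve's first reply suggests two fallbacks for kernels that reject `auditctl -w`: rules that match on inode plus device numbers, or, if everything to be watched sits on one partition, rules that match on devmajor/devminor alone. The script below is an added example written for this thread, not code from the audit project or from anyone in the discussion. It generates the `auditctl -a exit,always -S ... -F devmajor=... -F devminor=... -F inode=...` lines from a path (the field names devmajor, devminor and inode are real auditctl filter fields; the default syscall list and the file names are constructed for the example), refuses the partition-wide form when the paths span more than one device, and includes a staleness check for the main caveat of inode rules: a file rewritten by save-via-rename gets a new inode, so the rule keeps matching the old one and the path silently goes unaudited.

```python
import os
import re
import tempfile

# Syscalls to cover per watched file. This list is constructed for the example;
# it sticks to classic syscalls that a 2.6.12/2.6.16 kernel already has.
DEFAULT_SYSCALLS = ("open", "truncate", "unlink", "rename", "chmod", "chown")

_INODE_RE = re.compile(r"-F inode=(\d+)")


def inode_rules(path, syscalls=DEFAULT_SYSCALLS, action="exit,always"):
    """Emulate `auditctl -w <path>` on a kernel that rejects watch requests.

    The filter fields devmajor, devminor and inode are matched instead, so
    each rule pins down one inode on one device. One rule per syscall is
    returned; the caller passes each line as arguments to auditctl.
    """
    st = os.stat(path)
    major, minor = os.major(st.st_dev), os.minor(st.st_dev)
    return [
        f"-a {action} -S {sc} -F devmajor={major} -F devminor={minor} "
        f"-F inode={st.st_ino}"
        for sc in syscalls
    ]


def partition_rules(paths, syscalls=DEFAULT_SYSCALLS, action="exit,always"):
    """Cover a whole partition with one rule per syscall (devmajor/devminor
    only). Returns None when the paths do not all share one device, since a
    single devmajor/devminor pair cannot describe them; fall back to
    inode_rules() per path in that case. Expect more noise than inode rules."""
    devices = {os.stat(p).st_dev for p in paths}
    if len(devices) != 1:
        return None
    dev = devices.pop()
    major, minor = os.major(dev), os.minor(dev)
    return [
        f"-a {action} -S {sc} -F devmajor={major} -F devminor={minor}"
        for sc in syscalls
    ]


def rule_is_stale(path, rule):
    """An inode rule binds to the inode, not the name. Tools that save by
    writing a temp file and renaming it over the original leave the rule
    matching the old inode, so coverage of `path` silently stops. Returns
    True when the inode in `rule` no longer matches `path`; device-only
    rules carry no inode and are never stale by this check."""
    m = _INODE_RE.search(rule)
    if m is None:
        return False
    return int(m.group(1)) != os.stat(path).st_ino


def demo():
    """Constructed scenario: build a rule for a temp file, replace the file
    the way save-via-rename does, and report whether the rule went stale."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "watched.conf")
        with open(target, "w") as f:
            f.write("original\n")
        rule = inode_rules(target, syscalls=("open",))[0]
        stale_before = rule_is_stale(target, rule)
        replacement = target + ".tmp"
        with open(replacement, "w") as f:
            f.write("rewritten\n")
        os.replace(replacement, target)  # a new inode now sits at `target`
        stale_after = rule_is_stale(target, rule)
        partition = partition_rules([target, d], syscalls=("open",))
        return {
            "rule": rule,
            "stale_before": stale_before,
            "stale_after": stale_after,
            "partition_rules": partition,
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the rule reported as current right after it is built and as stale once the file has been replaced, which is why a cron job re-running `rule_is_stale()` over the watched paths (and re-loading rules on a mismatch) is worth having whenever inode rules stand in for real watches.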